MDEV-36474

Prepared statement with derived table column name specification within used view causing memory use-after-free


    Description

      -- Reproducer for MDEV-36474 (reported against 11.8.1-MariaDB-debug-log, see the version line below).
      -- Base table with a few rows so the view has something to select from.
      create table t1 (a int, b int);
      insert into t1  values (1,1),(2,2),(3,3);
       
      -- Two nested derived tables; the outer one, dt2, is given an explicit column
      -- list "(c)". That column-name list is what st_select_lex::set_item_list_names()
      -- reads again when the prepared statement is reinitialised before execution
      -- (frames #2-#8 of the AddressSanitizer report below).
      create view v1 as select * from (select * from (select a+b from t1)dt) dt2 (c);
       
      -- EXECUTE goes through reinit_stmt_before_use() -> mysql_derived_reinit() and
      -- hits the use-after-poison read in lex_string_set()/strlen (frames #0-#3);
      -- the DROP statements are only cleanup.
      prepare stmt from "select * from v1;";
      execute stmt;
      drop view v1;
      drop table t1;
      

      Version: '11.8.1-MariaDB-debug-log' cc831f16c82f00d3531e09c2f5c59eadc0abb0d7
      =================================================================
      ==2969600==ERROR: AddressSanitizer: use-after-poison on address 0x62d0003e9598 at pc 0x7f2e10ba3292 bp 0x7f2df5b52a90 sp 0x7f2df5b52238
      READ of size 4 at 0x62d0003e9598 thread T10 (one_connection)
          #0 0x7f2e10ba3291 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:461
          #1 0x564121fdbfbb in lex_string_set /11.8/src/include/m_string.h:243
          #2 0x564121ff19a1 in st_select_lex::set_item_list_names(List<Lex_ident_sys>*) /11.8/src/sql/sql_lex.cc:3640
          #3 0x564121f8cfec in mysql_derived_reinit /11.8/src/sql/sql_derived.cc:1358
          #4 0x564121f850c1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /11.8/src/sql/sql_derived.cc:200
          #5 0x5641224be3ec in TABLE_LIST::handle_derived(LEX*, unsigned int) /11.8/src/sql/table.cc:9961
          #6 0x564121fd1d1c in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /11.8/src/sql/sql_lex.h:4551
          #7 0x564121ff9342 in st_select_lex::handle_derived(LEX*, unsigned int) /11.8/src/sql/sql_lex.cc:5128
          #8 0x564122125258 in reinit_stmt_before_use(THD*, LEX*) /11.8/src/sql/sql_prepare.cc:2986
          #9 0x56412213361c in Prepared_statement::execute(String*, bool) /11.8/src/sql/sql_prepare.cc:5037
          #10 0x56412212e5ec in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /11.8/src/sql/sql_prepare.cc:4448
          #11 0x5641221275aa in mysql_sql_stmt_execute(THD*) /11.8/src/sql/sql_prepare.cc:3460
          #12 0x56412207ebec in mysql_execute_command(THD*, bool) /11.8/src/sql/sql_parse.cc:3995
          #13 0x56412209a09f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.8/src/sql/sql_parse.cc:7915
          #14 0x5641220704c3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.8/src/sql/sql_parse.cc:1902
          #15 0x56412206d15a in do_command(THD*, bool) /11.8/src/sql/sql_parse.cc:1415
          #16 0x5641225876e9 in do_handle_one_connection(CONNECT*, bool) /11.8/src/sql/sql_connect.cc:1415
          #17 0x56412258723c in handle_one_connection /11.8/src/sql/sql_connect.cc:1327
          #18 0x5641232b32c3 in pfs_spawn_thread /11.8/src/storage/perfschema/pfs.cc:2198
          #19 0x7f2e106ba608 in start_thread /build/glibc-FcRMwW/glibc-2.31/nptl/pthread_create.c:477
          #20 0x7f2e101f5352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
       
      0x62d0003e9598 is located 4504 bytes inside of 32876-byte region [0x62d0003e8400,0x62d0003f046c)
      allocated by thread T10 (one_connection) here:
          #0 0x7f2e10c188ff in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x5641240c884e in sf_malloc /11.8/src/mysys/safemalloc.c:126
          #2 0x5641240975c6 in my_malloc /11.8/src/mysys/my_malloc.c:93
          #3 0x564124068cf3 in root_alloc /11.8/src/mysys/my_alloc.c:66
          #4 0x564124069d10 in reset_root_defaults /11.8/src/mysys/my_alloc.c:247
          #5 0x564121f175ca in THD::init_for_queries() /11.8/src/sql/sql_class.cc:1526
          #6 0x564122586add in prepare_new_connection_state(THD*) /11.8/src/sql/sql_connect.cc:1253
          #7 0x5641225872c1 in thd_prepare_connection(THD*) /11.8/src/sql/sql_connect.cc:1348
          #8 0x5641225876ad in do_handle_one_connection(CONNECT*, bool) /11.8/src/sql/sql_connect.cc:1405
          #9 0x56412258723c in handle_one_connection /11.8/src/sql/sql_connect.cc:1327
          #10 0x5641232b32c3 in pfs_spawn_thread /11.8/src/storage/perfschema/pfs.cc:2198
          #11 0x7f2e106ba608 in start_thread /build/glibc-FcRMwW/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T10 (one_connection) created by T0 here:
          #0 0x7f2e10b84175 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:208
          #1 0x5641232aeee7 in my_thread_create /11.8/src/storage/perfschema/my_thread.h:38
          #2 0x5641232b36b6 in pfs_spawn_thread_v1 /11.8/src/storage/perfschema/pfs.cc:2249
          #3 0x564121c5d2bb in inline_mysql_thread_create /11.8/src/include/mysql/psi/mysql_thread.h:1139
          #4 0x564121c76ef1 in create_thread_to_handle_connection(CONNECT*) /11.8/src/sql/mysqld.cc:6261
          #5 0x564121c7755c in create_new_thread(CONNECT*) /11.8/src/sql/mysqld.cc:6323
          #6 0x564121c77889 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.8/src/sql/mysqld.cc:6385
          #7 0x564121c78586 in handle_connections_sockets() /11.8/src/sql/mysqld.cc:6497
          #8 0x564121c74f54 in run_main_loop /11.8/src/sql/mysqld.cc:5739
          #9 0x564121c7673b in mysqld_main(int, char**) /11.8/src/sql/mysqld.cc:6162
          #10 0x564121c5c55c in main /11.8/src/sql/main.cc:34
          #11 0x7f2e100fa082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:461 in __interceptor_strlen
      Shadow bytes around the buggy address:
        0x62d0003e9300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9380: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9400: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9480: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x62d0003e9580: f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9680: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9700: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9780: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x62d0003e9800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2969600==ABORTING
      

              sanja Oleksandr Byelkin
              alice Alice Sherepa